Analecta Cyber Company Blog: 1,400 Vulnerabilities Found in Popular Drug Cabinet System

2016-04-14

1,400 Vulnerabilities Found in Popular Drug Cabinet System

The Department of Homeland Security issued an advisory reporting more than 1,400 vulnerabilities in a popular drug cabinet system. According to the report, most of these vulnerabilities could be exploited remotely using publicly available exploits. What is striking about the discovery is that an attacker could take advantage of these exploits regardless of skill level.


These automated drug cabinets dispense products and maintain an exact inventory in real time. The affected cabinets are made by CareFusion, and the unit examined was identified as running version 8.1.3 of the Pyxis SupplyStation.

According to the investigation, the vulnerabilities are present because the cabinets have not been updated to a newer version since April 2010. It is also known that a number of older versions still exist and remain operational in various facilities across the United States.

The research was conducted by two independent security researchers. They obtained a decommissioned Pyxis SupplyStation unit and performed static binary analysis of the system's firmware. In total, the researchers discovered 1,418 vulnerabilities in the version they tested.

The researchers found that the remotely exploitable bugs were located in 86 different files within seven third-party software packages. These include Symantec Antivirus 9 and pcAnywhere 10.5, Sybase SQL Anywhere 9, SAP Crystal Reports 8.5, Flexera Software InstallShield, BMC AppSight 5.7, and Microsoft Windows XP.

Upgrades can protect data

The white hat hackers cleared up the misconception that the numerous vulnerabilities exist in the drug cabinet software itself. On the contrary, they exist in third-party software on the machines that was never updated to its most recent version. These machines run old versions of the Pyxis SupplyStation on Microsoft Windows Server 2003 and Windows XP. The researchers reached out to the vendor, CareFusion, and the company confirmed that several versions of the Pyxis SupplyStation are affected, including versions 8 through 9.3. Since the affected versions run on outdated and already unsupported software, the discovered vulnerabilities cannot be fixed simply by applying patches.

As an alternative, CareFusion advised its users on measures that lessen the risk if the vulnerabilities are exploited. One suggestion is to isolate the systems by not connecting them to the Internet. If they cannot operate without an Internet connection, CareFusion recommends connecting through a VPN. The company added that if users rely on pcAnywhere, it must be running version 12.5 Service Pack 4 or newer, and advised removing it if it is not in use. The ESET virus definitions should also be kept up to date at all times, and all Microsoft patches must be applied as soon as they are available.

Enabling the password history tracking feature at all times was also recommended. Users should always set strong passwords using the extended password feature. But, if possible, it is still best to upgrade the drug cabinet system to a supported version that does not contain any of these vulnerabilities.
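As an added illustration (not CareFusion's or the advisory's own code), the version and connectivity checks from the vendor's advice can be turned into a small inventory audit. The Cabinet fields, the thresholds and the sample inventory below are assumptions made for this example; a real audit would pull the same facts from asset records.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds from the advisory as summarised above (example constants, not vendor code).
AFFECTED_MIN = (8, 0, 0, 0)        # Pyxis SupplyStation 8.x ...
AFFECTED_MAX_MAJOR_MINOR = (9, 3)  # ... through 9.3.x are affected
PCANYWHERE_MIN = (12, 5, 0, 4)     # pcAnywhere 12.5 Service Pack 4

def parse_version(text: str):
    """Map '8.1.3', '12.5' or '12.5 SP4' to a comparable (major, minor, patch, sp) tuple."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(?:SP\s*(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, sp = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), int(sp or 0))

@dataclass
class Cabinet:
    name: str
    pyxis_version: str
    internet_connected: bool
    uses_vpn: bool
    pcanywhere_version: Optional[str]  # None = pcAnywhere not installed
    pcanywhere_in_use: bool = False

def findings(cab: Cabinet) -> List[str]:
    """Return the advisory recommendations this cabinet currently fails."""
    issues = []
    v = parse_version(cab.pyxis_version)
    if v >= AFFECTED_MIN and v[:2] <= AFFECTED_MAX_MAJOR_MINOR:
        issues.append("affected Pyxis version: upgrade to a supported release")
    if cab.internet_connected and not cab.uses_vpn:
        issues.append("internet-connected without VPN: isolate or route via VPN")
    if cab.pcanywhere_version is not None:
        if not cab.pcanywhere_in_use:
            issues.append("pcAnywhere installed but unused: remove it")
        elif parse_version(cab.pcanywhere_version) < PCANYWHERE_MIN:
            issues.append("pcAnywhere older than 12.5 SP4: update it")
    return issues

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    Cabinet("pharmacy-01", "8.1.3", True, False, "10.5", True),
    Cabinet("icu-02", "9.3.1", True, True, "12.5 SP3", True),
    Cabinet("er-03", "10.1", False, False, "12.5 SP4", False),
]

def audit(inventory=INVENTORY):
    return {c.name: findings(c) for c in inventory}
```

Calling audit() returns a dict mapping each cabinet name to the list of recommendations it fails; an empty list means the cabinet meets every check modelled here.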